Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Fix potential Race Condition in Session Scope Management

Description

Race condition in ScopeContext.getCFSessionScope() can cause a single user to create multiple session objects, leading to session data loss during normal application usage.

The session scope management in Lucee has a race condition where multiple simultaneous requests from the same user can create different new session objects. This occurs because the check-then-act pattern in getCFSessionScope() is not properly synchronized.

When two requests from the same user arrive simultaneously:

  1. Both check if a session exists

  2. Both determine no session exists (or needs recreation)

  3. Both create separate session objects

  4. The last one to complete overwrites the other in the storage map

  5. The user loses data stored in the first session object

The result is that users may experience loss of session data, inconsistent session state across requests, and the need to re-login or re-establish session state unexpectedly.

Proposed Fix

Implement double-checked locking in the getCFSessionScope() method. This ensures that for each CFID, only one thread at a time can create or modify the session structure, preventing the creation of multiple session objects for the same user.

Impact

This issue can cause:

  • Loss of session data for users

  • Unexpected logouts

  • Shopping cart data disappearing

  • Form submissions requiring repetition

  • General inconsistent user experience

Activity

Show:

Pothys - MitrahSoft 17 March 2025 at 12:22

I have tested this ticket with Lucee version 6.2.1.68-SNAPSHOT. When I ran concurrent requests and checked the session_id, multiple sessions were created on the initial load.

Here is my test code:
index.cfm,

<cfif NOT structKeyExists(session, "user_data")> <cfset session.user_data = "initial_data"> </cfif> <cfset session.user_data = session.user_data & " updated"> <cfoutput> Session ID: #session.sessionid#<br> User Data: #session.user_data#<br> </cfoutput>
<script> for (let i = 0; i < 10; i++) { fetch('index.cfm', { method: 'GET', credentials: 'same-origin' }).then(response => response.text()).then(data => { }) } </script>

Michael Offner 11 March 2025 at 16:11

Michael Offner 11 March 2025 at 15:56

Details

Assignee

Reporter

Labels

New Issue warning screen

Before you create a new Issue, please post to the mailing list first https://dev.lucee.org

Once the issue has been verified, one of the Lucee team will ask you to file an issue

Sprint

Fix versions

Priority

Created 11 March 2025 at 15:52
Updated 17 March 2025 at 12:26

Flag notifications